Wolverhampton City Council breaches DPA with document skip dump

Wolverhampton City Council breached the Data Protection Act when staff put personal information in a skip, says the Information Commissioner's Office.

Wolverhampton City Council breached the Data Protection Act when staff put personal information in a skip, says the Information Commissioner's Office.

The Information Commissioner's Office (ICO) was alerted to the breach in October 2010 when a local newspaper reported that council documents containing personal details had been fly-tipped by thieves who stole the skip from outside a community leisure centre.

The ICO found that, although the council had a contract with a waste management company for the secure disposal of personal data, council employees had failed to recognise the confidential nature of the information when they disposed of it.

Simon Entwisle, director of operations at the ICO says the breach demonstrates how important it is that staff who handle personal data have a good understanding of the need to keep it safe at all times, especially when it is being disposed of.

"An organisation's responsibility to keep information secure does not end when it is taken out of the building," he said.

Entwisle says the council has taken the necessary steps to ensure this type of breach does not happen again.

Simon Warren, Chief Executive of Wolverhampton City Council, has signed an undertaking to ensure staff are made aware of the council's policies on data protection and confidential waste management, and are appropriately trained in how to follow them.

The council is obliged to ensure compliance with the policies is appropriately and regularly monitored.

Eight principles of the Data Protection Act  


Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

Read more on IT risk management